In this article, we’ll take a look back at the changes to the OWASP Top 10 this past year.
It’s been four years since OWASP updated its Top 10 list, but this year we got three brand new categories along with a reshuffling of the rest. As we head into 2022, we’ll take a look at the generalization of the guidance offered by OWASP, changes in how the team determined which issues were included/excluded, and how some things never change.
With lists from years past, the specificity meant that they could be used (some would say misused) as a starting point for identifying vulnerabilities present in your application. After all, the number of ways a malicious party could attack your application is high, so one way to get started was to focus on the items mentioned on the OWASP Top 10 list.
However, the 2021 update of the Top 10 has changed the list to be more akin to an awareness document, specifically regarding patterns and risks to look out for when writing software and reviewing it for possible security issues. Rather than focusing on specific vulnerabilities (or the symptoms of problematic coding from a security perspective), OWASP has opted instead to focus on higher-level categories of vulnerabilities.
It seems that the goal was to lean into the perspective that security should shift left and be considered earlier in the software development life cycle (SDLC). That said, we have heard some argue that making the categories more generic means that the list is vague and less helpful.
Previous versions of the OWASP Top 10 included vulnerabilities based on the probability that the vulnerability would be exploited, followed by exploitability, detectability, and impact. However, the OWASP authors, with the 2021 revision, have opted to focus mostly on exploitability and technical impact.
Furthermore, the updated list is
[M]ore data-driven than ever but not blindly data-driven. We selected eight of the ten categories from contributed data and two categories from the Top 10 community survey at a high level.
In short, OWASP is trying to balance between looking at the data people contribute (which is a look into the past) and the here-and-now information provided by AppSec personnel securing applications today.
Changing how something is measured will change the results that you see, and the OWASP Top 10 list is no different. Not only is the data from which the list is compiled changing, but the metrics used to determine which issues are included and which aren’t are also not the same as they were before.
Despite the changes to the Top 10 list and the OWASP team’s increased focus on providing something that should be used as guidance (and not a checklist), there is a lot that has stayed the same over the years. For example, broken authentication continues to be a major problem. Cross-site scripting has been added to the injection section, but this issue is still mentioned by OWASP, and that is notable. This is the same story with SQL injection.
Despite the passage of time, apps (both old and new) are still vulnerable to many of the same issues that were mentioned in the 2017 version of the list (and even the 2013 version of the list).
Application security continues to shift left, with those involved in application development focusing on potential vulnerabilities earlier and earlier in the software development lifecycle (SDLC). We see this focus reflected in the changes the OWASP team implemented in the 2021 Top 10 list, but there are still things that remain problematic today that were problematic almost a decade ago.